Digital Forensics. Larry Daniel


1 Digital Forensics Larry Daniel

2 Introduction
A recent research report from The Yankee Group found that 67.6 percent of US households in 2002 contained at least one PC. The investigators foresee three-quarters of all US households containing PCs by 2007.

3 Introduction
The UCLA study found that surprising numbers of households have more than one PC. Where more than one PC is present, the home computers are often networked. As of December 2005, 71.4% of US households had computers.

4 Some Famous Criminal Cases
Scott Peterson: Internet history showing searches for dump sites.
Michelle Theer: and other documents (over 20 thousand documents).
Michael Jackson: Internet history and .
BTK Killer: used to trace a letter back to a church computer.

5 Different Sides, Different Roles: Prosecution Side
Sworn law enforcement officer.
Writes search warrants.
Receives evidence (computers, etc.).
Acquires images, analyzes data.
Presents findings to prosecutors and detectives.
May not be involved again until an arrest is made or the case goes to trial.

6 Different Sides, Different Roles: Defense Side
Private expert.
Receives evidence from the law enforcement agency.
Consults with the attorney on relevant facts.
Active member of the defense team.
May review other evidence to enhance the computer analysis.
May interview the defendant.
May work with other experts.

7 Some Basics
The basic computer looks like these (pictures of typical computer systems).

8 Common Mistakes
Calling these (the computer itself, the case or system unit) "monitors", "CPUs", "hard drives", etc.

9 Monitors
Newer LCD on the left, older analog CRT on the right. Nothing is stored in these; they just make pretty pictures.

13 Inside the Computer: RAM (Random Access Memory)
Only contains data while the computer is turned on. Temporary processing storage, used only while the computer is operating. Cleared when the computer shuts down or restarts, so anything held only in RAM is gone once power is removed.

16 Acquisition
First contact with the original evidence. The most critical time for protecting the originals, and the most likely time for police or others to damage or change evidence. General rules MUST be followed to preserve and protect evidence during this critical first-response period. This is also the first point in establishing the chain of custody.

21 Acquisition
First responders should be trained to handle this type of evidence. Digital evidence is fragile and is easily altered if not handled properly. Simply turning a computer on, or operating it, changes and damages evidence.

22 Fragile Nature of Digital Evidence
"The problem is the uninitiated police officer who will go in and turn on a computer to look to see if it's worthwhile to send the computer in for examination," said Peter Plummer, assistant attorney general in Michigan's high-tech crime unit. "When you boot up a computer, several hundred files get changed, the date of access, and so on," Plummer said. "Can you say that computer is still exactly as it was when the bad guy had it last?"
Source: AP article, Computers Today section.

23 Fragile Nature of Digital Evidence
"The nature of computer-based evidence makes it inherently fragile. Data can be erased or changed without a trace, impeding an investigator's job to find the truth. The efforts of first responders are critical to ensure that the evidence is gathered and preserved in a simple, secure, and forensically sound manner."
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.

24 Fragile Nature of Digital Evidence
"Fragile data are those things stored on the hard drive but that can be easily altered, especially by a first responder trying to determine if an incident has occurred. These could include access dates on files or temporary files. Once these files have been altered by a first responder, there is no way to recover the original data."
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.

25 Fragile Nature of Digital Evidence
"The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless."
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.
"Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file."
Source: Computer Forensics: Computer Crime Scene Investigation, 2nd ed., John R. Vacca.

26 Fragile Nature of Digital Evidence
The next three slides demonstrate what happens when you operate a computer: evidence is modified, and evidence is destroyed.
Source: Preservation of Fragile Digital Evidence by First Responders, Special Agent Jesse Kornblum, Air Force Office of Special Investigations.

27 Files in Original Condition
(Screenshot of a file listing with its original date and time stamps.)

28 Files After Opening and Viewing
The last-accessed date and time changes any time a file is opened and viewed while the computer is in operation. (Caveat: Windows Vista and later disable last-access time updates on NTFS by default, so an unchanged access time on those systems does not prove a file was never opened.)

29 Files After Saving
The last-written date and time changes any time a file is saved or copied while the computer is in operation.
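The three slides above show the effect in a file listing. As an added example, not from the slides, the Python below takes a baseline of a directory (size, last-written time, last-accessed time and SHA-256 for each file), then "views" one file and "saves" another and reports which recorded attributes changed after each step. The directory, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record size, last-written and last-accessed times (ns) and SHA-256 for
    every regular file under root: the 'files in original condition' baseline.
    Hashing itself reads each file, which on a writable mount may update its
    access time; real baselines are taken from a write-blocked image."""
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        result[str(path.relative_to(root))] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns,
            "sha256": sha256_of(path),
        }
    return result


def changed_files(before: dict, after: dict) -> dict:
    """Return {name: [changed fields]}; files added or removed get ['presence']."""
    diff = {}
    for name in sorted(set(before) | set(after)):
        if name not in before or name not in after:
            diff[name] = ["presence"]
            continue
        fields = [k for k in before[name] if before[name][k] != after[name][k]]
        if fields:
            diff[name] = fields
    return diff


def demonstrate() -> dict:
    """Create two constructed files, baseline them, then 'view' one and 'save'
    the other, returning what changed after each step."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed sample: meeting at 6pm\n")
        (root / "letter.txt").write_bytes(b"constructed sample: draft letter\n")
        baseline = snapshot(root)

        time.sleep(0.1)                     # let the filesystem clock advance
        (root / "notes.txt").read_bytes()   # open and view only
        after_view = snapshot(root)

        time.sleep(0.1)
        with (root / "letter.txt").open("ab") as f:   # open, edit and save
            f.write(b"one more line\n")
        after_save = snapshot(root)

        return {
            "after_view": changed_files(baseline, after_view),
            "after_save": changed_files(after_view, after_save),
        }


if __name__ == "__main__":
    for step, diff in demonstrate().items():
        print(step, diff or "no change recorded")
```

Saving always shows up as a changed size, last-written time and hash. Whether viewing shows up as a changed access time depends on the system: Linux mounts with noatime never update it and relatime update it only sometimes, and Windows Vista and later leave NTFS last-access updates off by default. That is exactly why an examiner compares against a baseline taken from a write-blocked copy rather than reasoning from a single timestamp.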

30 Seizing Computer Evidence: General Guidelines

31 General Guidelines for Seizing Computers and Digital Evidence
Seizing a stand-alone home computer in a residence: if the computer is powered off, DO NOT turn it on. If the computer is powered on, do not allow the suspect or any associate to touch it. Offers to shut the computer down may be a ruse to start a destructive program that destroys the evidence; this can be done with one keystroke.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

32 General Guidelines for Seizing Computers and Digital Evidence
Before touching the computer, place an unformatted or blank floppy disk into the floppy disk drive(s); document, videotape and/or photograph the computer system; and write detailed notes about what is on the computer's screen.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

33 General Guidelines for Seizing Computers and Digital Evidence
Photograph the back of the computer and everything that is connected to it. Photograph and label the back of any computer components with existing connections to the computer.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

34 General Guidelines for Seizing Computers and Digital Evidence
If you have a computer specialist on the scene, they will have been trained to recognize the operating system and will know the proper way to shut down the computer system without altering files or losing any evidence.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

35 General Guidelines for Seizing Computers and Digital Evidence
If you do not have a computer specialist on the scene, the safest way to turn off a Windows 98/95/3.1/DOS computer is to pull the plug from the back of the computer. On other systems, pulling the plug could severely damage the system, disrupt legitimate business, and create officer and department liability. It is especially important to have a specialist available when dealing with business computers, networked computers, and computers based on Macintosh, Windows NT, and Unix/Linux operating systems.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

36 General Guidelines for Seizing Computers and Digital Evidence
After shutting the computer down and powering it off: disconnect all power sources, unplugging the power cords from the wall and from the back of the computer. Notebook computers may need to have their battery removed. Place evidence tape over each drive slot, the power supply connector, and any other opening into the computer; this should include sealing the case itself.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

37 General Guidelines for Seizing Computers and Digital Evidence
Only specially trained and qualified computer forensic investigators working in a laboratory setting should analyze computers and other forms of digital evidence. The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless. The Maryland State Police Computer Forensics Laboratory will not routinely accept digital evidence for analysis if that evidence has been tainted through handling by unqualified personnel.
Source: Maryland State Police, Criminal Enforcement Command, Computer Crimes Unit.

38 Preservation
Once digital evidence is seized it must be handled carefully to preserve and protect it.
Everything should be tagged.
No one should operate or preview any evidence on writable media without proper tools and training.
Forensically sound copies of all original evidence must be made before analysis.
Records must be kept.
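What "forensically sound copy" and "records must be kept" mean in practice, as an added example that is not part of the slides: the Python below streams a source into an image file while hashing the bytes as they are read, independently re-hashes the finished image and refuses to proceed if the two hashes differ, marks the image read-only, and writes a chain-of-custody record beside it. A later `verify` check shows that even a one-byte change to the image is detected. The "drive" is a constructed file of random bytes, and the examiner name, case number and file names are invented; a real acquisition reads the original device through a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB


def hash_file(path) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_hash(source, image) -> str:
    """Stream source into image while hashing the bytes as they are read, so the
    hash describes exactly what was copied.  Returns the SHA-256 of the source."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return h.hexdigest()


def acquire(source, image, examiner: str, case_id: str) -> dict:
    """Make the image, verify it against the source hash, lock it read-only and
    write a chain-of-custody record beside it."""
    source_hash = image_and_hash(source, image)
    image_hash = hash_file(image)          # independent re-read of the finished image
    if image_hash != source_hash:
        raise RuntimeError(f"image verification failed: {source_hash} != {image_hash}")
    os.chmod(image, 0o444)                 # analysis happens on working copies of this image
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": str(source),
        "image": str(image),
        "bytes": os.path.getsize(image),
        "sha256": image_hash,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    Path(f"{image}.custody.json").write_text(json.dumps(record, indent=2))
    return record


def verify(image, record: dict) -> bool:
    """Before any analysis session: does the image still match the recorded hash?"""
    return hash_file(image) == record["sha256"]


def demonstrate() -> dict:
    """Acquire a constructed 'drive', verify the image, then alter one byte and
    show that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "suspect_drive.bin"      # constructed stand-in for a device
        source.write_bytes(os.urandom(3 * CHUNK + 12345))
        image = Path(tmp) / "suspect_drive.dd"
        record = acquire(source, image, "Examiner 1", "CASE-0001")
        verified_before = verify(image, record)

        # Simulate careless handling: one byte of the image is altered.
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0xFF]))
        verified_after = verify(image, record)

        return {
            "source_sha256": hash_file(source),
            "recorded_sha256": record["sha256"],
            "bytes": record["bytes"],
            "verified_before": verified_before,
            "verified_after": verified_after,
        }


if __name__ == "__main__":
    print(json.dumps(demonstrate(), indent=2))
```

The custody record is what lets the examiner later testify that the image analyzed is the image acquired: the hash in the record is computed from the bytes as they left the original, the image is re-hashed independently, and every subsequent session starts by re-running `verify`.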

39 Analysis
Analysis involves recovering evidence and examining it for relevance to the case.
Accepted tools should be used.
Search and analysis must be within the scope of the warrant.
Bench notes should be kept by the examiner.

43 Analysis: Metadata
Many types of files contain metadata: information embedded in the file itself that describes the file.
Microsoft Office documents: computer name, total edit time, number of editing sessions, where printed, number of times saved.
Digital camera pictures: make and model of camera, dates and times.

44 Document Metadata
(Screenshot of the properties of a Microsoft Office document.)

45 Picture Metadata
(Screenshot of the camera data embedded in a digital photograph.)
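As an added example, not from the slides, the Python below pulls the document metadata listed on slide 43 out of a modern Word file. A .docx is a ZIP archive; `docProps/core.xml` carries the author, who last saved it, the creation, modification and last-printed dates and the revision (save) count, and `docProps/app.xml` carries the application, template, company and total edit time in minutes. The sample document is constructed in memory so the example runs offline, and every value in it is invented. The computer name shown on the slide comes from the older binary .doc format, not from these XML parts, and camera (EXIF) data is not covered here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Result key -> element to read, for each of the two property parts.
CORE_FIELDS = {
    "author": "dc:creator",
    "last_saved_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "last_printed": "cp:lastPrinted",
    "saves": "cp:revision",
}
APP_FIELDS = {
    "application": "ep:Application",
    "company": "ep:Company",
    "template": "ep:Template",
    "edit_minutes": "ep:TotalTime",
}


def docx_metadata(data: bytes) -> dict:
    """Extract core and extended properties from the bytes of a .docx file.
    Parts or elements that are missing are simply absent from the result."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, xpath in fields.items():
                el = root.find(xpath, NS)
                if el is not None and el.text:
                    meta[key] = el.text.strip()
    for key in ("saves", "edit_minutes"):
        if key in meta:
            meta[key] = int(meta[key])
    return meta


def build_sample_docx() -> bytes:
    """Constructed stand-in for a Word file: only the parts that matter here.
    Every name, date and number below is invented for the example."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>J. Doe</dc:creator>
  <cp:lastModifiedBy>Office PC</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <cp:lastPrinted>2006-03-01T14:02:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2006-02-20T09:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2006-03-02T18:40:00Z</dcterms:modified>
</cp:coreProperties>"""
    app = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <Template>Normal.dotm</Template>
  <TotalTime>95</TotalTime>
  <Company>Example Corp</Company>
</Properties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")   # body is not needed here
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in docx_metadata(build_sample_docx()).items():
        print(f"{key:14} {value}")
```

Run against a real file with `docx_metadata(open("evidence.docx", "rb").read())`, reading from a working copy of the image rather than the original. Note that these values are written by the application and are only as trustworthy as the clock and user settings on the machine that saved the file; they corroborate other evidence rather than standing alone.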

46 Internet History Before Clearing
(Screenshot of the browser history listing before the user cleared it.)

47 Internet History After Clearing
(Screenshot of the same history after clearing.)

48 Presentation
Court presentation for a jury must be simple and straightforward: timelines, documents, pictures.

49 How Computer Evidence Is Used
Verify alibis.
Establish relationships between the defendant and the victim or accomplices.
Establish documentation of events.
Establish mitigating circumstances.
Provide documents for use by forensic psychologists.
Document timelines.
